CVE-2020-19316

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection in the link() method of Laravel's Illuminate\Filesystem\Filesystem class (Filesystem.php). The method builds a shell command from its $target and $link arguments and hands it to exec() without escaping them, so whoever controls either argument can terminate the quoted path and append further commands, which then run as the PHP worker account. Only applications that pass attacker-influenced values into link() are exposed; the framework itself does not route request input to this method.

💻 Affected Systems

Products:
  • Laravel Framework
Versions: All versions before 5.8.17
Operating Systems: Windows hosts. link() only shells out (mklink via exec()) on Windows; on Linux/macOS it calls PHP's symlink() directly and does not build a command string.
Default Config Vulnerable: ⚠️ Yes, but only reachable where application code passes untrusted input to link()
Notes: The vulnerable code is the Windows branch of Filesystem::link(). A stock installation calls link() only from 'php artisan storage:link' with configuration-derived paths; exploitability depends on custom code that lets a request influence the $target or $link argument.

📦 What is this software?

Laravel is an open-source PHP web application framework. Illuminate\Filesystem\Filesystem is its local-filesystem helper class; its link() method creates symbolic links (junctions or hard links on Windows), and 'php artisan storage:link' uses it to expose storage/app/public under public/storage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary command execution as the PHP worker account, leading to web shell installation, data exfiltration, lateral movement from the web tier and full takeover of the host.

🟠 Likely Case

Command execution limited to the web server's account: web shell dropped under the document root, application database credentials read from .env, or service disruption.

🟢 If Mitigated

Limited impact where inputs reaching link() are validated, the PHP process runs with least privilege and cannot reach other hosts, and exec() is disabled for the web SAPI.

🌐 Internet-Facing: HIGH - the vulnerable code path is reachable over HTTP wherever application code feeds request input to link().
🏢 Internal Only: MEDIUM - the same code path is exploitable by anyone who can reach the application; only the population of potential attackers is smaller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No by default; depends on which application code reaches link()
Complexity: LOW

The framework exposes no route to link(). Exploitation requires application code that passes attacker-influenced values as the $target or $link argument, on a host where the exec()/mklink branch runs (Windows). Public proof-of-concept material demonstrates the command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.17

Vendor Advisory: https://github.com/laravel/framework/commit/44c3feb604944599ad1c782a9942981c3991fa31

Restart Required: No (PHP loads the updated file on the next request; if OPcache runs with opcache.validate_timestamps=0, restart the PHP worker processes or reset OPcache)

Instructions:

1. Make sure the laravel/framework constraint in composer.json allows 5.8.17 or later (a "5.8.*" constraint does; a version pinned below 5.8.17 does not).
2. Run 'composer update laravel/framework' and commit the updated composer.lock so every deployment receives the fixed version.
3. Deploy and test application functionality, in particular 'php artisan storage:link' on Windows hosts, which exercises the patched method.

🔧 Temporary Workarounds

Input Validation

Platforms: all

Never pass request-derived values straight into link(). Resolve both arguments against an allow-listed base directory, reject any value containing double quotes, cmd.exe separators (&, |, <, >, ^) or control bytes, and reject parent-directory segments.

Method Avoidance

Platforms: all

Do not call Filesystem::link() (or the File::link() facade) with untrusted input until patched; where a link must be created from user-chosen names, map the name to a server-side path yourself and call PHP's symlink() directly rather than the framework method.
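The following is an added example, not code from the page or from the Laravel project. It models the pre-fix and post-fix command construction of the Windows branch of Filesystem::link() to show why literal quoting fails and escapeshellarg() holds, and it implements the input-validation workaround described above as a guard an application can run before calling link(). The helper names (buildMklinkVulnerable, buildMklinkFixed, assertSafeLinkArgs), the sample paths and the attacker string are assumptions made for the example; nothing in it executes a command. It needs PHP 8.0 or later.

```php
<?php
// Added example (not Laravel's code). Models how Filesystem::link() assembled
// its mklink command before and after the 5.8.17 fix, and a hypothetical
// guard for the "Input Validation" workaround. Nothing here calls exec().

declare(strict_types=1);

// Modelled on the pre-fix construction: link and target are interpolated with
// only literal double quotes around them, so a quote in the input ends the argument.
function buildMklinkVulnerable(string $link, string $target, string $mode = 'J'): string
{
    return "mklink /{$mode} \"{$link}\" \"{$target}\"";
}

// Modelled on the post-fix construction: each argument goes through
// escapeshellarg(), which on Windows wraps the value in double quotes and
// replaces embedded double quotes, percent signs and exclamation marks with
// spaces, so a smuggled quote can no longer terminate the argument.
function buildMklinkFixed(string $link, string $target, string $mode = 'J'): string
{
    return "mklink /{$mode} " . escapeshellarg($link) . ' ' . escapeshellarg($target);
}

// Hypothetical guard for unpatched applications: refuse link/target values that
// contain cmd.exe metacharacters or control bytes, contain a parent-directory
// segment, or fall outside an allow-listed base directory.
function assertSafeLinkArgs(string $link, string $target, string $allowedBase): void
{
    $base = rtrim(str_replace('\\', '/', $allowedBase), '/') . '/';
    foreach (['link' => $link, 'target' => $target] as $name => $value) {
        if (preg_match('/[&|<>^%!"\x00-\x1f]/', $value)) {
            throw new InvalidArgumentException("$name contains shell metacharacters");
        }
        $normalized = str_replace('\\', '/', $value);
        if (str_contains($normalized, '/../') || str_ends_with($normalized, '/..')) {
            throw new InvalidArgumentException("$name contains a parent-directory segment");
        }
        if (!str_starts_with($normalized, $base)) {
            throw new InvalidArgumentException("$name is outside $allowedBase");
        }
    }
}

// Constructed attacker input for the $link argument: it closes the quoted path,
// chains a command, then reopens a quote so the remainder of the template still parses.
$evilLink = 'C:\inetpub\site\public\storage" & whoami > "C:\inetpub\site\public\w.txt" & "';
$target   = 'C:\inetpub\site\storage\app\public';

echo "vulnerable: ", buildMklinkVulnerable($evilLink, $target), PHP_EOL;
echo "fixed:      ", buildMklinkFixed($evilLink, $target), PHP_EOL;

try {
    assertSafeLinkArgs($evilLink, $target, 'C:\inetpub\site');
    echo "guard: accepted", PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "guard: rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

Run it with 'php example.php'. In the vulnerable string cmd.exe sees three commands separated by '&' (the mklink, the whoami redirected into the document root, and a trailing quoted fragment), whereas the fixed string presents one odd-looking but single path argument per position. The guard rejects the attacker string at the metacharacter check before the path ever reaches link(); the character class in that check is deliberately strict and will also reject legitimate names containing '%' or '!', which is the safer failure for a temporary workaround.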

🧯 If You Can't Patch

  • Add web application firewall rules that reject double quotes and cmd.exe separators (&, |, <, >, ^) in the specific request parameters that reach link(); generic command-injection signatures help only if the injected value arrives over HTTP in a form the WAF inspects.
  • Run the PHP worker under a dedicated least-privilege account with write access limited to the application's storage paths, so a successful injection cannot modify code or reach other services.
  • Set disable_functions=exec in the php.ini used by the web SAPI; link() then fails closed on Windows instead of shelling out, while 'php artisan storage:link' still works from the CLI if its own php.ini leaves exec enabled.

🔍 How to Verify

Check if Vulnerable:

Run 'php artisan --version', or 'composer show laravel/framework' for the version recorded in composer.lock. If the version is below 5.8.17, search the application for calls to the method, for example 'grep -rn -e "->link(" -e "File::link(" app/ routes/', and review whether any argument can be influenced by a request. The exec() branch only runs on Windows hosts.

Check Version:

php artisan --version

Verify Fix Applied:

Confirm the version is 5.8.17 or higher with 'php artisan --version' on every deployed host, and check that vendor/laravel/framework/src/Illuminate/Filesystem/Filesystem.php builds the mklink command with escapeshellarg() around both arguments. Review remaining link() call sites to ensure their arguments are server-controlled or validated.
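The script below is an added example, not code from the page or from Laravel, that performs the two verification steps above in one pass: it reads the locked laravel/framework version from composer.lock and compares it against 5.8.17, then scans the application's PHP files for link() call sites so each can be reviewed for untrusted input. The file name, the function names and the choice of skipped directories are assumptions; it needs PHP 8.0 or later and is run as 'php audit-cve-2020-19316.php /path/to/app'.

```php
<?php
// Added audit script (not from the page or the Laravel project).
// Usage: php audit-cve-2020-19316.php /path/to/app
// Exit code 1 when the locked framework version is below the fixed release.

declare(strict_types=1);

const FIXED_VERSION = '5.8.17';

// Return the laravel/framework version recorded in composer.lock, or null.
function installedFrameworkVersion(string $appRoot): ?string
{
    $lockFile = $appRoot . '/composer.lock';
    if (!is_file($lockFile)) {
        return null;
    }
    $lock = json_decode((string) file_get_contents($lockFile), true);
    foreach ($lock['packages'] ?? [] as $package) {
        if (($package['name'] ?? '') === 'laravel/framework') {
            return ltrim((string) $package['version'], 'v');   // "v5.8.16" -> "5.8.16"
        }
    }
    return null;
}

// True when the version sorts before the fixed release.
function isVulnerableVersion(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

// Find "->link(" and "File::link(" call sites in .php files under $dir.
// Returns "path:line" => source line. vendor/ and node_modules/ are skipped
// (assumed layout) because the framework's own definition would match.
// "->link(" also matches unrelated objects, so every hit needs a manual look.
function findLinkCallSites(string $dir): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
            fn ($current) => !in_array($current->getFilename(), ['vendor', 'node_modules'], true)
        )
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        foreach (file($file->getPathname()) as $lineNo => $line) {
            if (preg_match('/(->|File::)link\s*\(/', $line)) {
                $hits[$file->getPathname() . ':' . ($lineNo + 1)] = trim($line);
            }
        }
    }
    return $hits;
}

$appRoot = $argv[1] ?? getcwd();
$version = installedFrameworkVersion($appRoot);
if ($version === null) {
    fwrite(STDERR, "laravel/framework not found in {$appRoot}/composer.lock\n");
    exit(2);
}

$vulnerable = isVulnerableVersion($version);
printf("laravel/framework %s: %s\n", $version, $vulnerable ? 'VULNERABLE (< ' . FIXED_VERSION . ')' : 'patched');
foreach (findLinkCallSites($appRoot) as $where => $source) {
    printf("  link() call site: %s\n      %s\n", $where, $source);
}
exit($vulnerable ? 1 : 0);
```

composer.lock rather than composer.json is read on purpose: the lock file records what is actually installed, while composer.json only records the constraint. Run the script on each deployed host (or against each deployment artifact), since a fixed lock file in the repository says nothing about a server that was never redeployed.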

📡 Detection & Monitoring

Log Indicators:

  • Process-creation events on the Windows web host (Sysmon Event ID 1, Security Event ID 4688) where a PHP or web-server process spawns cmd.exe with an mklink command line that also carries a separator or redirection (&, |, >)
  • Junctions or symbolic links appearing under public/ or storage/ that no deployment or 'php artisan storage:link' run created
  • Request parameters that end up in filesystem paths and contain double quotes or cmd.exe separators

Network Indicators:

  • Unexpected outbound connections from the web server's process tree (cmd.exe or powershell.exe children of the PHP worker)
  • POST requests whose path-like parameters carry shell metacharacters

SIEM Query:

The application log is a weak source here: Laravel does not log exec() calls, so the following only fires if the application itself logs the paths it passes to link():

source="laravel.log" AND ("symlink" OR "link()" OR "exec(" OR "system(")

On a Windows host, query process-creation telemetry instead (Splunk-style pseudo-query; adapt the field names to your log source):

(EventCode=4688 OR EventCode=1) AND Image="*\\cmd.exe" AND CommandLine="*mklink*" AND (CommandLine="*&*" OR CommandLine="*|*" OR CommandLine="*>*")
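The following is an added detection example, not code from the page or from Laravel. Because the injected payload reaches cmd.exe through PHP's exec(), the signal that survives regardless of what the application logs is a process-creation event in which a PHP or web-server process starts cmd.exe with an mklink command line that also contains a command separator. The function below applies that logic to constructed Sysmon-style events; the field names follow Sysmon Event ID 1, the parent-process list and the sample command lines are assumptions to adapt to your host, and the function name classifyProcessEvent is hypothetical.

```php
<?php
// Added detection example (not from the page). Classifies Windows
// process-creation events for the cmd.exe/mklink pattern that
// Filesystem::link() injection produces. Events below are constructed.

declare(strict_types=1);

// Assumed set of processes that host PHP on a Windows web server.
const WEB_PARENTS = ['php-cgi.exe', 'php.exe', 'httpd.exe', 'w3wp.exe', 'nginx.exe'];

// Returns a reason string when the event looks like link() injection, else null.
function classifyProcessEvent(array $event): ?string
{
    $parent = strtolower(basename(str_replace('\\', '/', $event['ParentImage'] ?? '')));
    $image  = strtolower(basename(str_replace('\\', '/', $event['Image'] ?? '')));
    $cmd    = $event['CommandLine'] ?? '';

    // Only cmd.exe started by a PHP/web-server process is in scope.
    if (!in_array($parent, WEB_PARENTS, true) || $image !== 'cmd.exe') {
        return null;
    }
    // The injected string always still contains the framework's mklink prefix.
    if (stripos($cmd, 'mklink') === false) {
        return null;
    }
    // A clean storage:link run carries no separators or redirections. NTFS
    // forbids |<> in names, so those are never legitimate; '&' is allowed in
    // names, so a path containing it will be flagged and needs a human look.
    if (preg_match('/[&|<>^]|\bpowershell\b|\bcertutil\b|\bbitsadmin\b/i', $cmd)) {
        return "cmd.exe from {$parent} runs mklink with a chained command: {$cmd}";
    }
    return null;
}

// Constructed sample events in Sysmon Event ID 1 field naming.
$events = [
    // Legitimate 'php artisan storage:link' on a Windows host.
    ['ParentImage' => 'C:\php\php-cgi.exe', 'Image' => 'C:\Windows\System32\cmd.exe',
     'CommandLine' => 'cmd.exe /c mklink /J "C:\inetpub\site\public\storage" "C:\inetpub\site\storage\app\public"'],
    // Injected $link argument: quoted path closed, second command chained, quote reopened.
    ['ParentImage' => 'C:\php\php-cgi.exe', 'Image' => 'C:\Windows\System32\cmd.exe',
     'CommandLine' => 'cmd.exe /c mklink /J "C:\inetpub\site\public\storage" & whoami > "C:\inetpub\site\public\w.txt" & "" "C:\inetpub\site\storage\app\public"'],
    // Same shape, but an administrator typing at the console: out of scope for this rule.
    ['ParentImage' => 'C:\Windows\explorer.exe', 'Image' => 'C:\Windows\System32\cmd.exe',
     'CommandLine' => 'cmd.exe /c mklink /J "D:\a" "D:\b" & echo done'],
];

foreach ($events as $i => $event) {
    printf("event %d: %s\n", $i, classifyProcessEvent($event) ?? 'benign');
}
```

Only the second event is reported: the first has no separator after the two quoted arguments, and the third has the right command line but the wrong parent, which is what keeps administrator activity out of the alert. Feed real events to the function by mapping your source's fields onto ParentImage, Image and CommandLine.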

🔗 References
